
Hacking Your Fingerprint: ElcomSoft Finds Security Holes in Biometric Readers

When purchasing notebooks for the enterprise, one of the most common requirements is that they have a fingerprint reader, since biometrics are considered safe. However, while it may be hard to fake your fingerprints, a gaping hole was found in the software suite that can expose all of your saved passwords.

Every time you see a fingerprint reader on a notebook or ultrabook, chances are it came from a single company. It doesn’t matter whether your mobile device is from Acer, ASUS, Dell, Fujitsu, Gateway, Gigabyte, Lenovo, MSI, NEC, Samsung, Sony, Toshiba or some other vendor: the manufacturer of the reader is the same, UPEK.

UPEK Protector Suite - if this interface looks familiar, upgrade to more contemporary software immediately

In 2010, the company was acquired by AuthenTec, which looked to further expand its list of clients. Over the course of the last two years we witnessed the replacement of UPEK software with AuthenTec TrueSuite software. However, the vast majority of hardware vendors continued shipping UPEK Protector Suite, believing that the level of protection offered by the Protector Suite was "good enough." While it may have seemed so at first glance, we received quite a surprise when a security company released the results of its research. ElcomSoft, a Russian security firm that specializes in password-breaking software for security agencies and consumers, discovered a serious flaw in the last-gen UPEK Protector Suite. The warning is quite ominous:

"After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted. Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon."

If you’ve used the UPEK software and felt safe, the fact that a hacker can access your passwords using a simple registry editor/reader is something to worry about. If you use UPEK, you should upgrade to TrueSuite immediately.